Microsoft Temporarily KOs Dangerous Citadel Botnet


Microsoft said late Wednesday that it took legal action to disrupt the dangerous Citadel botnet, which is behind the Zeus Trojan family of banking malware responsible for bilking millions from the accounts of its victims over the past several years.

The software giant obtained a court-ordered civil seizure warrant from the U.S. District Court for the Western District of North Carolina to take over the command and control servers behind a large part of Citadel, according to Richard Boscovich, assistant general counsel at Microsoft's Digital Crimes Unit.

"Microsoft executed a simultaneous operation to disrupt more than 1,400 Citadel botnets, which are responsible for over half a billion dollars in losses to people and businesses worldwide," Boscovich wrote in an announcement about the operation. "We do expect that this action will significantly disrupt Citadel's operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business."

[Related: Top 10 Malware Threats To Microsoft PCs
]

The action, code-named Operation b54, was first reported by Reuters, which found that Citadel wouldn't be completely wiped out, enabling the cybercriminals behind the botnet to eventually recover operations. The seizure marked the seventh action that Microsoft and other security firms have undertaken to disrupt botnets. The Financial Services Information Sharing and Analysis Center, the Electronic Payments Association and the American Bankers Association took part in the seizure.

Microsoft also worked with the FBI, which served search warrants related to the botnets. The FBI was to inform foreign law enforcement about the operation in an attempt to voluntarily take out botnet infrastructure located outside the U.S., according to an FBI press release on the matter.

In its preliminary injunction requesting the Citadel seizure warrant, Microsoft said the botnet operators are believed to be based in the Ukraine or Russia. The attackers controlled an estimated 3 million to 5 million PCs to spread malware, spam and steal usernames and passwords to access bank accounts. The attackers are running a "particularly sophisticated and destructive botnet enterprise," Microsoft said, significantly impacting account holders at Bank of America, Wells Fargo, Citibank and Chase. Security firms have noted an increasing number of Zeus infections.

The unnamed defendants in the Microsoft complaint included the author of the Citadel Builder Kit, an automated attack toolkit that enabled other attackers to create and operate a Citadel botnet. Microsoft named 81 other defendant "John Does" that purchased and operated more than 1,400 Citadel botnets around the world.

The court document also outlines the extent of the business operation behind the massive botnets with the creation of the Citadel customer relationship management (CRM) tool, which provided updates and technical support to botnet operators.

Infected computers were programmed to contact command and control server every 20 minutes for updates and instructions from the botnet operators, according to Microsoft. Citadel also blocked access to many legitimate antivirus and antimalware websites, making it difficult for victims to find information to remove infections from their PCs. The attackers also "fraudulently obtained product keys created by key generators for outdated Windows XP software to develop their malware and grow their business, demonstrating another link between software piracy and global cybersecurity threats," Boscovich said.

Security experts point out that botnets such as Citadel that fuel financially motivated cybercrime and those that are behind smaller, more targeted operations to steal intellectual property spread quickly because of many basic security lapses. Businesses need to focus on logging and monitoring, addressing vulnerabilities and configuration weaknesses that enable attackers to set up botnets and steal sensitive data, said Vinnie Liu, a prominent penetration tester, and partner and co-founder at Phoenix-based Bishop Fox, a consultancy and managed security services provider. Individuals need to maintain stronger passwords and adopt two-factor authentication when possible, Liu said.

"If people had patching and password management down, they would eliminate 75 [percent] or 80 percent of the problems that are out there," Liu told CRN. "It's true that a lot of these attacks are getting in by the simplest ways and it's not something sexy that can be marketed, but the fact is that's what it usually boils down to."

Security researchers have been closely monitoring Citadel and analyzing the techniques used by botnet operators and the sophistication of the Zeus family of banking malware it spreads. The source code for Zeus was made widely available in 2011, giving the malware a boost with additional contributors.

Microsoft and other security firms have disrupted six other botnets in recent years as part of its Project MARS, the Microsoft Active Response for Security program. Many of the botnets are tied to extensive spam campaigns that are behind most of the unwanted messages sent globally. In addition to spam, attackers use spambots for phishing attack campaigns and to spread malware. Microsoft worked with Symantec to disrupt the Bamital botnet in February. That botnet was tied to 8 million malware-infected computers. Bamital defrauded online advertising networks and redirected victims to malicious websites.

Other security firms, including Kaspersky Lab and Dell-SecureWorks, used technical means to disrupt botnets and monitor operations. Kaspersky and Dell-SecureWorks played roles in taking out the Kelihos peer-to-peer botnet in 2011.

Microsoft noted several security firms for their work in the investigation. Palo Alto, Calif.-based antispam and phishing firm Agari provided forensic data through its email collection service, and networking vendors A10 Networks and Nominum provided support during the disruption.

PUBLISHED JUNE 6, 2013